CVE-2007-1458

Name of the Vulnerable Software and Affected Versions CARE2X version 1.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the root path parameter to various PHP files, including (1) inc checkdate lang.php, (2) inc charset fx.php, (3) inc config color.php, (4) inc currency set.php, (5) inc db makelink.php, (6) inc diagnostics report fx.php, (7) inc environment global.php, (8) inc front chain lang.php, (9) inc init crypt.php, (10) inc load copyrite.php, (11) inc news save.php in the include/ directory, and (12) diagnostics-report-index.php, (13) config options mascot.php, (14) barcode-labels.php, (15) chg-color.php, (16) config options gui template.php in the main/ directory.

Recommendations As a temporary workaround, consider restricting access to the root path parameter in the affected PHP files until a patch is available. Avoid using the root path parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.